GuardingPearSoftware
Why Default Passwords Are Still a Massive Problem in 2025

Despite years of warnings from cybersecurity experts, default passwords remain one of the most persistent and dangerous security flaws in 2025. Default passwords are pre-set login credentials provided by the manufacturer with a device. They're meant to provide first-time access, allowing the user to log in and set up the device.

In early 2025, an IBM/Instana survey revealed that a staggering 86% of router users had never changed the default admin password, and 52% never adjusted any factory settings. Moreover, 89% never update router firmware, 89% leave default network names, and 72% keep the default Wi-Fi password.

These passwords are often easy to guess, well-documented in manuals, and widely shared on forums or even search engines. That makes them low-hanging fruit for attackers scanning the internet for vulnerable devices.

In this article, we’ll break down why default passwords are so dangerous, explore real-world incidents like the Mirai botnet that exploited them, look at why users still fail to change them, and outline what both consumers and manufacturers need to do to finally fix this long-standing problem.

The Scale of the Problem

Mirai Botnet

The Mirai botnet, which first emerged in 2016, is an example of how dangerous default passwords can be. It specifically targeted Internet of Things (IoT) devices like routers, IP cameras, DVRs, and other smart devices that were connected to the internet but poorly secured.

Mirai begins its attack by scanning the internet for devices with open Telnet or SSH ports, which are common services used for remote access. These ports allow administrators to log into devices using command-line interfaces. However, when left unsecured, they become prime entry points for attackers.

To exploit these open ports, Mirai uses a brute-force dictionary attack, cycling through a hardcoded list of over 60 of the most common default username/password combinations. Examples include:

admin/admin
root/123456
user/user
guest/guest
root/password

These credentials are frequently the factory defaults set by manufacturers, and shockingly, many users never change them after setup. This widespread negligence makes countless devices vulnerable to Mirai’s automated attacks.

Once a device is compromised, it becomes part of the Mirai botnet, a vast network of infected devices all controlled from a central command-and-control server. These hijacked devices are used for two primary purposes: to scan for and infect other vulnerable devices, and to launch massive distributed denial-of-service (DDoS) attacks. In such attacks, thousands of devices flood targeted servers with traffic, overwhelming their capacity and rendering websites, platforms, or entire internet services temporarily inaccessible.

Why Users Don't Change Default Passwords

There are several reasons people stick with default passwords:

Lack of awareness

Many users simply don’t realize that the default login credentials on their devices are widely known and easily accessible online. In some cases, users don’t even know that login credentials exist for their router, camera, or smart home gadget.

Complex interfaces

Some devices require users to log in through a command line or a confusing web interface just to make basic changes. When instructions are unclear or the interface is clunky, users are more likely to give up and leave settings as-is. This is especially true for non-technical users who may feel intimidated by the process.

Too many devices

The sheer volume of connected devices in modern homes and businesses can be overwhelming. With smart TVs, thermostats, cameras, speakers, doorbells, baby monitors, and more all requiring their own passwords, users can feel burdened by the task of manually securing each one. In enterprise environments, the scale is even greater, and IT teams may overlook or delay changing default settings on non-critical systems, creating openings for attackers.

Why Hackers Love Them

Default passwords are a dream for attackers. Here’s why:

Automated Attacks

Cybercriminals use bots and scripts that scan vast IP ranges, automatically looking for devices with open ports like Telnet, SSH, or HTTP admin panels. These tools rapidly cycle through massive lists of known default credentials, often targeting hundreds or thousands of devices per minute. Because many users never change the factory settings, attackers can gain access with minimal effort, no password cracking or vulnerability exploitation required.

No Alerting

Most consumer-grade and even some commercial IoT devices don’t notify users when someone is attempting to log in, or even when they’ve successfully logged in from a new location or suspicious IP address.
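As an added example (not code from the original post), this is the alerting such devices lack, written as a routine a defender could run over a device's auth log: it flags a burst of failed logins from one source, a success that immediately follows such failures, and a success from an unfamiliar address. The sshd-style log lines are constructed sample data, and a real device's log format will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, sshd-style, as a small device might log it (not real data).
SAMPLE_LOG = """\
2025-03-01T10:00:01 sshd[811]: Failed password for admin from 203.0.113.5 port 50112 ssh2
2025-03-01T10:00:02 sshd[811]: Failed password for root from 203.0.113.5 port 50113 ssh2
2025-03-01T10:00:03 sshd[811]: Failed password for user from 203.0.113.5 port 50114 ssh2
2025-03-01T10:00:04 sshd[811]: Failed password for guest from 203.0.113.5 port 50115 ssh2
2025-03-01T10:00:05 sshd[811]: Accepted password for root from 203.0.113.5 port 50116 ssh2
2025-03-01T10:30:00 sshd[812]: Accepted password for admin from 192.168.1.20 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_login_abuse(log_text, threshold=3, window=timedelta(minutes=5), known_ips=()):
    """Return alert strings for (a) a burst of failed logins from one source
    inside `window`, (b) a success right after such failures, and (c) a
    success from an address not in `known_ips`. Old failures expire."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # unrelated log line
        ts = datetime.fromisoformat(m["ts"])
        ip, user, result = m["ip"], m["user"], m["result"]
        recent = [t for t in failures[ip] if ts - t <= window]
        failures[ip] = recent
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:   # fire once per burst, not per attempt
                alerts.append(f"BRUTE_FORCE {ip}: {threshold} failures within {window}")
        elif recent:
            alerts.append(f"SUCCESS_AFTER_FAILURES {ip} user={user}")
        elif ip not in known_ips:
            alerts.append(f"LOGIN_FROM_NEW_IP {ip} user={user}")
    return alerts
```

Run against the sample, the burst of default-credential attempts from 203.0.113.5 produces one brute-force alert, and the login that follows it is flagged as a success after failures.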

No Lockout Mechanism

Many devices also lack a lockout mechanism, meaning there’s no penalty or cooldown after multiple failed login attempts. Unlike modern web applications that enforce two-factor authentication (2FA), rate limiting, or CAPTCHA challenges, IoT and embedded systems often allow unlimited brute-force attempts without delay, making them especially vulnerable to credential stuffing attacks.

Persistence

Once inside, attackers can achieve persistence. They may install malware, launch botnet agents like Mirai, or reconfigure the device to secretly forward traffic or exfiltrate data. Even worse, a compromised device can serve as a pivot point, giving attackers a jumping-off position to explore the rest of the network, escalate privileges, or attack higher-value systems such as workstations, file servers, or cloud services.

What Needs to Change

For Users:

Immediately change the default password after setup.

The first step is to immediately change the default password on any device as soon as it’s powered on. This includes routers, cameras, smart home devices, and even printers or network storage. Replacing factory-set credentials with strong, unique passwords helps shut the most common door attackers use to get in.

Update device firmware to fix known security issues.

Users should regularly update firmware to ensure known vulnerabilities are patched. Many newer devices offer auto-update options; enable these whenever possible.

Segment your network.

Placing smart home or IoT devices on a separate guest or Virtual Local Area Network (VLAN) prevents attackers from easily jumping from a compromised camera or thermostat to your laptop or work systems.

For Manufacturers:

Force password changes during initial setup.

Devices should force a password change during the initial setup, ideally blocking further use until the user sets a secure credential. Better yet, each unit should ship with randomized, unique default credentials; no more “admin/admin” for every product sold.

Include lockout and rate-limiting mechanisms.

To reduce the impact of brute-force attacks, devices must include basic protections like account lockout and rate limiting. After a few failed login attempts, the device should block further access temporarily or require human intervention, just like modern banking or email services. In addition, manufacturers should ensure clear, user-friendly instructions are included for secure setup, and where possible, offer security-focused setup wizards that guide users through the process.
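As an added example (not the article's or any manufacturer's code), here is what the two manufacturer-side measures above look like together in one login gate: a random per-unit provisioning password that must be replaced before the device does anything else, plus a lockout with exponential backoff after repeated failures. The class, the five-failure threshold, the 30-second base lockout and the 12-character minimum are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

MAX_FAILURES = 5           # consecutive failures before lockout (assumed policy)
BASE_LOCKOUT_SECONDS = 30  # doubles with each further failure while locked
ITERATIONS = 100_000       # PBKDF2 work factor (assumed)

class DeviceAuth:
    """Login gate for an embedded admin interface: a random per-unit provisioning
    password (assumed printed on the label) that must be replaced before use."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock               # injectable for testing
        self.setup_complete = False
        self.failures = 0
        self.locked_until = 0.0
        self.provisioning_password = secrets.token_urlsafe(12)  # never 'admin/admin'
        self._set_password(self.provisioning_password)

    def _set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)

    def _verify(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)
        return hmac.compare_digest(self.digest, candidate)

    def login(self, password):
        """Return 'locked', 'denied', 'setup_required' or 'ok'."""
        now = self.clock()
        if now < self.locked_until:
            return "locked"              # nothing is verified while locked
        if not self._verify(password):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                # 30s, 60s, 120s, ... for every failure at or past the threshold
                self.locked_until = now + BASE_LOCKOUT_SECONDS * 2 ** (self.failures - MAX_FAILURES)
            return "denied"
        self.failures = 0
        return "ok" if self.setup_complete else "setup_required"

    def complete_setup(self, current_password, new_password):
        # Only valid once, and only with a credential that is long and different.
        if self.login(current_password) != "setup_required":
            return False
        if len(new_password) < 12 or new_password == current_password:
            return False
        self._set_password(new_password)
        self.setup_complete = True
        return True
```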

Conclusion

Default passwords are a silent, persistent threat in our connected world. From your smart speaker to your industrial sensor, any internet-enabled device can become an entry point for attackers if left unsecured. Until users and manufacturers treat IoT security seriously, default passwords will continue to be a massive vulnerability, one that cybercriminals are more than happy to exploit.

Read more on my blog: www.guardingpearsoftware.com!
